SlideShare a Scribd company logo

Análise de malware com suporte de hardware

Marcus Botacin
Marcus Botacin

Slides da minha apresentação no IC/UNICAMP, em 2017, referentes a defesa da minha dissertação de mestrado "Hardware-Assisted Malware Analysis"

Science
1 of 68
Download to read offline
Introduction Research Final Remarks Hardware-Assisted Malware Analysis Marcus Botacin1, Andr´e Gr´egio3, Paulo L´ıcio de Geus2 1Msc. Candidate Institute of Computing - UNICAMP {marcus}@lasca.ic.unicamp.br 2Advisor Institute of Computing - UNICAMP {paulo}@lasca.ic.unicamp.br 3Co-Advisor Federal University of Paran´a (UFPR) gregio@inf.ufpr.br July 28th, 2017 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Malware Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Malware Malware Threats. Figure: Washington Post: https://tinyurl.com/ljo7ekm Figure: BBC: https://tinyurl.com/mfogjhe Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Malware Analysis Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Malware Analysis Malware Analysis. Figure: Imperva: https://tinyurl.com/zkbsnl2 Figure: Enigma: https://tinyurl.com/kydgwve Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Malware Analysis More specifically... Static Analysis Analyzing without executing it. Dynamic Analysis Analyzing by executing it. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis Malware Analysis. Figure: Themerkle: https://tinyurl.com/kasuxcr Figure: Forbes: https://tinyurl.com/l7ecrex Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis What happens to static analysis? Control Flow Obfuscation Listing 1: Control flow obfuscation example. 1 entry : xor eax , eax 2 jnz %l 1 3 l 1 : xor eax , eax 4 jnz %l 2 5 l 2 : xor eax , eax 6 jnz %l 3 7 ln : . . . Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis What happens to static analysis? Path Explosion Figure: Source Image: https://tinyurl.com/n52fz5r Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis What happens to dynamic analysis? Debugger Detection Listing 2: Anti-debug example. 1 i f ( IsDebuggerPresent () ) 2 p r i n t f (” debuggedn ”) ; VM Detection Listing 3: Anti-vm example. 1 cpuid (0 x40000000 , &eax , &ebx , &ecx , &edx ) ; 2 memcpy( h y p e r v e n d o r i d + 0 , &ebx , 4) ; 3 i f ( ! strcmp ( hyper vendor id , ”VMwareVMware”) ) 4 p r i n t f (”VMn ”) ; Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis And then... Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis And then... Figure: Commercial solution armored with anti-debug technique. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Anti-Analysis And then... Figure: Real malware impersonating a secure solution which cannot run under an hypervisor. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Transparency Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Transparency Definitions 1 Higher privileged. 2 No non-privileged side-effects. 3 Identical Basic Instruction Semantics. 4 Transparent Exception Handling. 5 Identical Measurement of Time. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: Type-1 Hypervisor. Source: https://tinyurl.com/ku7oho5 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: HVM operating layers . Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: HVM memory operation. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: Ether’s architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: Fattori’s architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: Fattori’s traceable events. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: Fattori’s techniques. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey HVM Figure: MAVMM’s overhead. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey SMM Figure: Operation modes. Source: https://tinyurl.com/l2uqr8d Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey SMM Figure: SMIs. Source: https://tinyurl.com/kuqlmau Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey Battle of the rings Figure: Processor rings. Source: https://tinyurl.com/mzjezkg Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey AMT/ME Figure: Arstechnica. Source: https://tinyurl.com/kc62fw8 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey SGX Figure: SGX enclaves. Source: https://tinyurl.com/ln6eb4g Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey External Hardware Figure: JTAG. Source: https://tinyurl.com/m8r79e8 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey Branch Monitor Figure: Branch Stack. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey Performance Monitor Figure: PMU-based side-effect detection. Source: https://tinyurl.com/m9zgphk Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey GPUs Figure: GPU. Source: https://tinyurl.com/lnhufn9 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks A Survey TSX Figure: TSX-based CFI. Source: https://tinyurl.com/l8jfycj Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Proposed Framework Figure: Proposed framework architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Could I isolate processes’ actions? Figure: Data Storage (DS) AREA. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Could I isolate processes’ actions? Figure: Local Vector Table (LVT). Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: ASLR - Library placement after two consecutive reboots. Library NTDLL KERNEL32 KERNELBASE Address 1 0xBAF80000 0xB9610000 0xB8190000 Address 2 0x987B0000 0x98670000 0x958C0000 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: Function Offsets from ntdll.dll library. Function Offset NtCreateProcess 0x3691 NtCreateProcessEx 0x30B0 NtCreateProfile 0x36A1 NtCreateResourceManager 0x36C1 NtCreateSemaphore 0x36D1 NtCreateSymbolicLinkObject 0x36E1 NtCreateThread 0x30C0 NtCreateThreadEx 0x36F1 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Figure: Introspection Mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? _lock_file+0x90printf+0xe3__iob_funcprintf+0xcaprintfNewToy Figure: Step Into. scanf+0x3f NewToy printf Figure: Step Over. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is CFG reconstruction possible? Figure: Code block identification. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Identified tricks Listing 4: Fake Conditional. 1 0x190 xor eax , eax 2 0x192 jnz 0x19c Listing 5: Control Flow Change. 1 0x180 push 0x10a 2 0x185 r e t Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Identified tricks Listing 6: Hook Detection. 1 0x340 cmp eax ,0 xe9 2 0x345 jnz 0x347 Listing 7: Hardware Debugger Detection. 1 0x400 QWORD PTR f s :0 x0 , rsp 2 0x409 mov rax ,QWORD PTR [ rsp+0xc ] 3 0x40e cmp rbx ,QWORD PTR [ rax+0x4 ] Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Deviating Behavior Figure: Deviating behavior identification. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Deviating Behavior Figure: Divergence: True Positive. Figure: Divergence: False Positive. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a Debugger? Inverted I/O Figure: Debugger’s working mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a Debugger? Suspending Processes EnumProcessThreads + SuspendThread. DebugActiveProcess. NtSuspendProcess. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Could I develop a Debugger? Integration Figure: GDB integration. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? ROP Attacks Figure: ROP chain example. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? CALL-RET Policy Figure: CALL-RET CFI policy. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? Gadget-size policy Figure: KBouncer’s exploit stack. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? Exploit Analysis Table: Excerpt of the branch window of the ROP payload. FROM TO —- 0x7c346c0a 0x7c346c0b 0x7c37a140 0x7c37a141 —- Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? Exploit Analysis Listing 8: Static disassembly of the MSVCR71.dll library. 1 7 c346c08 : f2 0 f 58 c3 addsd %xmm3,%xmm0 2 7 c346c0c : 66 0 f 13 44 24 04 movlpd %xmm0,0 x4(%esp ) Listing 9: Dynamic disassembly of the MSVC71.dll executed code. 1 0x1000 ( s i z e =1) pop rax 2 0x1001 ( s i z e =1) r e t Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the solution easy to implement? Lines of Code comparison 100 1000 10000 100000 1×106 Ether:Comp Ether:Xen Ether:Patches Ether:Patch Ether:Ctl MAVMM:Comp MAVMM:Rep Bit:Comp Our:Comp Our:Cli Our:Drv Our:Scr Lines of Code by solution Solution Figure: Lines of Code by solution. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the solution portable? Talking about Linux Listing 10: Linux BTS support (Source:https://tinyurl.com/mws6v8x 1 s t a t i c i n i t i n t b t s i n i t ( void ) 2 bts pmu . c a p a b i l i t i e s = PERF PMU CAP AUX NO SG | PERF PMU CAP ITRACE 3 bts pmu . t a s k c t x n r = p e r f s w c o n t e x t ; 4 bts pmu . e v e n t i n i t = b t s e v e n t i n i t ; 5 bts pmu . add = b t s e v e n t a d d ; 6 bts pmu . d e l = b t s e v e n t d e l ; 7 bts pmu . s t a r t = b t s e v e n t s t a r t ; 8 bts pmu . stop = b t s e v e n t s t o p ; 9 bts pmu . read = b t s e v e n t r e a d ; 10 r e t u r n p e r f p m u r e g i s t e r (&bts pmu , 11 ” i n t e l b t s ”,−1) Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is the solution portable? Talking about Linux Listing 11: Linux BTS support (Source:https://tinyurl.com/mx759d7) 1 p e r f i n i t (&pe , MMAP PAGES) ; 2 f c n t l ( g b l s t a t u s . fd evt , F SETOWN, get pid () ) ; 3 monitor loop ( p i d c h i l d , s o u t f i l e ) ; Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Branch Monitoring Is solution’s overhead acceptable? Could the solution run in real-time? Task Base value System monitoring Penalty Benchmark monitoring Penalty Floating-point operations (op/s) 101530464 99221196 2.27% 97295048 4.17% Integer operations (op/s) 285649964 221666796 22.40% 219928736 23.01% MD5 Hashes (hash/s) 777633 568486 26.90% 568435 26.90% RAM transfer (MB/s) 7633 6628 13.17% 6224 18.46% HDD transfer (MB/s) 90 80 11.11% 75 16.67% Overall (benchm. pt) 518 470 9.27% 439 15.25% Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Conclusions Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Conclusions Lessons learned Transparency is essential. Hardware-assisted approaches may fulfill transparency requirements. There are open problems on hardware monitoring. Security, performance, and development efforts as trade-offs (really?). Performance monitors as lightweight alternatives. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Future Work Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Future Work And now? Multi-core monitor. Linux Monitor. Malware clustering. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Future Work Solution’s Availability Figure: Solution’s Availability. Solution is public on github. https://github.com/marcusbotacin/BranchMonitoringProject Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Acknowledgments Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Research Final Remarks Acknowledgments Questions? Hardware-Assisted Malware Analysis IC-UNICAMP

Recommended

Hardware-Assisted Malware Analysis
Hardware-Assisted Malware AnalysisHardware-Assisted Malware Analysis
Hardware-Assisted Malware AnalysisMarcus Botacin
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesYue Chen
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!Marcus Botacin
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoringMarcus Botacin
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Marcus Botacin
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Presentation1.2.pptx
Presentation1.2.pptxPresentation1.2.pptx
Presentation1.2.pptxpranaykusuma
 

Recommended

Hardware-Assisted Malware Analysis
Hardware-Assisted Malware AnalysisHardware-Assisted Malware Analysis
Hardware-Assisted Malware AnalysisMarcus Botacin
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesYue Chen
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!Marcus Botacin
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoringMarcus Botacin
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Marcus Botacin
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Presentation1.2.pptx
Presentation1.2.pptxPresentation1.2.pptx
Presentation1.2.pptxpranaykusuma
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisLO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisPietro De Nicolao
 
Network Monitoring System ppt.pdf
Network Monitoring System ppt.pdfNetwork Monitoring System ppt.pdf
Network Monitoring System ppt.pdfkristinatemen
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system pptashutosh rai
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Hardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionHardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionMarcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?Marcus Botacin
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
 
Today
TodayToday
TodaySherin Bennet
 
Opencv
OpencvOpencv
OpencvEthishkumar
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
IRJET - Analysis of Virtual Machine in Digital Forensics
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET - Analysis of Virtual Machine in Digital Forensics
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET Journal
 
H028038042
H028038042H028038042
H028038042researchinventy
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsRoberto Natella
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)Hamid Reza
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & BinariesMarcus Botacin
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
Web-Based Online Embedded Security System And Alertness Via Social Media
Web-Based Online Embedded Security System And Alertness Via Social MediaWeb-Based Online Embedded Security System And Alertness Via Social Media
Web-Based Online Embedded Security System And Alertness Via Social MediaIRJET Journal
 
Wireless Bomb Disposal Robot
Wireless Bomb Disposal RobotWireless Bomb Disposal Robot
Wireless Bomb Disposal RobotAbhishek Gupta
 
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 

More Related Content

Similar to Análise de malware com suporte de hardware

Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisLO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisPietro De Nicolao
 
Network Monitoring System ppt.pdf
Network Monitoring System ppt.pdfNetwork Monitoring System ppt.pdf
Network Monitoring System ppt.pdfkristinatemen
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system pptashutosh rai
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Hardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionHardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionMarcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?Marcus Botacin
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
IRJET - Analysis of Virtual Machine in Digital Forensics
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET - Analysis of Virtual Machine in Digital Forensics
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET Journal
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsRoberto Natella
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)Hamid Reza
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & BinariesMarcus Botacin
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Web-Based Online Embedded Security System And Alertness Via Social Media
Web-Based Online Embedded Security System And Alertness Via Social MediaWeb-Based Online Embedded Security System And Alertness Via Social Media
Web-Based Online Embedded Security System And Alertness Via Social MediaIRJET Journal
 
Wireless Bomb Disposal Robot
Wireless Bomb Disposal RobotWireless Bomb Disposal Robot
Wireless Bomb Disposal RobotAbhishek Gupta
 

Similar to Análise de malware com suporte de hardware (20)

Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisLO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
 
Network Monitoring System ppt.pdf
Network Monitoring System ppt.pdfNetwork Monitoring System ppt.pdf
Network Monitoring System ppt.pdf
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system ppt
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Hardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionHardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior Detection
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019
 
Today
TodayToday
Today
 
Opencv
OpencvOpencv
Opencv
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
IRJET - Analysis of Virtual Machine in Digital Forensics
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET - Analysis of Virtual Machine in Digital Forensics
IRJET - Analysis of Virtual Machine in Digital Forensics
 
H028038042
H028038042H028038042
H028038042
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor Customizations
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & Binaries
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Web-Based Online Embedded Security System And Alertness Via Social Media
Web-Based Online Embedded Security System And Alertness Via Social MediaWeb-Based Online Embedded Security System And Alertness Via Social Media
Web-Based Online Embedded Security System And Alertness Via Social Media
 
Wireless Bomb Disposal Robot
Wireless Bomb Disposal RobotWireless Bomb Disposal Robot
Wireless Bomb Disposal Robot
 

More from Marcus Botacin

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About AntivirusesMarcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!Marcus Botacin
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideMarcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisMarcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesMarcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareMarcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...Marcus Botacin
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...Marcus Botacin
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Marcus Botacin
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyMarcus Botacin
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering CourseMarcus Botacin
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in PracticeMarcus Botacin
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMarcus Botacin
 

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
 

Recently uploaded

Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformationAreesha Ahmad
 
An introduction on sequence tagged site mapping
An introduction on sequence tagged site mappingAn introduction on sequence tagged site mapping
An introduction on sequence tagged site mappingadibshanto115
 
Velocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptVelocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptRakeshMohan42
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)Areesha Ahmad
 
Exploring Criminology and Criminal Behaviour.pdf
Exploring Criminology and Criminal Behaviour.pdfExploring Criminology and Criminal Behaviour.pdf
Exploring Criminology and Criminal Behaviour.pdfrohankumarsinghrore1
 
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate ProfessorThyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate Professormuralinath2
 
pumpkin fruit fly, water melon fruit fly, cucumber fruit fly
pumpkin fruit fly, water melon fruit fly, cucumber fruit flypumpkin fruit fly, water melon fruit fly, cucumber fruit fly
pumpkin fruit fly, water melon fruit fly, cucumber fruit flyPRADYUMMAURYA1
 
The Mariana Trench remarkable geological features on Earth.pptx
The Mariana Trench remarkable geological features on Earth.pptxThe Mariana Trench remarkable geological features on Earth.pptx
The Mariana Trench remarkable geological features on Earth.pptxseri bangash
 
Grade 7 - Lesson 1 - Microscope and Its Functions
Grade 7 - Lesson 1 - Microscope and Its FunctionsGrade 7 - Lesson 1 - Microscope and Its Functions
Grade 7 - Lesson 1 - Microscope and Its FunctionsOrtegaSyrineMay
 
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptxClimate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptxDiariAli
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusNazaninKarimi6
 
300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptxryanrooker
 
biology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGYbiology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGY1301aanya
 
Proteomics: types, protein profiling steps etc.
Proteomics: types, protein profiling steps etc.Proteomics: types, protein profiling steps etc.
Proteomics: types, protein profiling steps etc.Silpa
 
module for grade 9 for distance learning
module for grade 9 for distance learningmodule for grade 9 for distance learning
module for grade 9 for distance learninglevieagacer
 
POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.Silpa
 
Chemistry 5th semester paper 1st Notes.pdf
Chemistry 5th semester paper 1st Notes.pdfChemistry 5th semester paper 1st Notes.pdf
Chemistry 5th semester paper 1st Notes.pdfSumit Kumar yadav
 
COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)
COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)
COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)AkefAfaneh2
 

Recently uploaded (20)

Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformation
 
An introduction on sequence tagged site mapping
An introduction on sequence tagged site mappingAn introduction on sequence tagged site mapping
An introduction on sequence tagged site mapping
 
Velocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptVelocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.ppt
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)
 
Exploring Criminology and Criminal Behaviour.pdf
Exploring Criminology and Criminal Behaviour.pdfExploring Criminology and Criminal Behaviour.pdf
Exploring Criminology and Criminal Behaviour.pdf
 
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate ProfessorThyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
 
pumpkin fruit fly, water melon fruit fly, cucumber fruit fly
pumpkin fruit fly, water melon fruit fly, cucumber fruit flypumpkin fruit fly, water melon fruit fly, cucumber fruit fly
pumpkin fruit fly, water melon fruit fly, cucumber fruit fly
 
The Mariana Trench remarkable geological features on Earth.pptx
The Mariana Trench remarkable geological features on Earth.pptxThe Mariana Trench remarkable geological features on Earth.pptx
The Mariana Trench remarkable geological features on Earth.pptx
 
Grade 7 - Lesson 1 - Microscope and Its Functions
Grade 7 - Lesson 1 - Microscope and Its FunctionsGrade 7 - Lesson 1 - Microscope and Its Functions
Grade 7 - Lesson 1 - Microscope and Its Functions
 
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptxClimate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
 
Clean In Place(CIP).pptx .
Clean In Place(CIP).pptx .Clean In Place(CIP).pptx .
Clean In Place(CIP).pptx .
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virus
 
300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx
 
PATNA CALL GIRLS 8617370543 LOW PRICE ESCORT SERVICE
PATNA CALL GIRLS 8617370543 LOW PRICE ESCORT SERVICEPATNA CALL GIRLS 8617370543 LOW PRICE ESCORT SERVICE
PATNA CALL GIRLS 8617370543 LOW PRICE ESCORT SERVICE
 
biology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGYbiology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGY
 
Proteomics: types, protein profiling steps etc.
Proteomics: types, protein profiling steps etc.Proteomics: types, protein profiling steps etc.
Proteomics: types, protein profiling steps etc.
 
module for grade 9 for distance learning
module for grade 9 for distance learningmodule for grade 9 for distance learning
module for grade 9 for distance learning
 
POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.
 
Chemistry 5th semester paper 1st Notes.pdf
Chemistry 5th semester paper 1st Notes.pdfChemistry 5th semester paper 1st Notes.pdf
Chemistry 5th semester paper 1st Notes.pdf
 
COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)
COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)
COMPUTING ANTI-DERIVATIVES (Integration by SUBSTITUTION)
 

Análise de malware com suporte de hardware

  • 1. Introduction Research Final Remarks Hardware-Assisted Malware Analysis Marcus Botacin1, Andr´e Gr´egio3, Paulo L´ıcio de Geus2 1Msc. Candidate Institute of Computing - UNICAMP {marcus}@lasca.ic.unicamp.br 2Advisor Institute of Computing - UNICAMP {paulo}@lasca.ic.unicamp.br 3Co-Advisor Federal University of Paran´a (UFPR) gregio@inf.ufpr.br July 28th, 2017 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 2. Introduction Research Final Remarks Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 3. Introduction Research Final Remarks Malware Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 4. Introduction Research Final Remarks Malware Malware Threats. Figure: Washington Post: https://tinyurl.com/ljo7ekm Figure: BBC: https://tinyurl.com/mfogjhe Hardware-Assisted Malware Analysis IC-UNICAMP
  • 5. Introduction Research Final Remarks Malware Analysis Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 6. Introduction Research Final Remarks Malware Analysis Malware Analysis. Figure: Imperva: https://tinyurl.com/zkbsnl2 Figure: Enigma: https://tinyurl.com/kydgwve Hardware-Assisted Malware Analysis IC-UNICAMP
  • 7. Introduction Research Final Remarks Malware Analysis More specifically... Static Analysis Analyzing without executing it. Dynamic Analysis Analyzing by executing it. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 8. Introduction Research Final Remarks Anti-Analysis Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 9. Introduction Research Final Remarks Anti-Analysis Malware Analysis. Figure: Themerkle: https://tinyurl.com/kasuxcr Figure: Forbes: https://tinyurl.com/l7ecrex Hardware-Assisted Malware Analysis IC-UNICAMP
  • 10. Introduction Research Final Remarks Anti-Analysis What happens to static analysis? Control Flow Obfuscation Listing 1: Control flow obfuscation example. 1 entry : xor eax , eax 2 jnz %l 1 3 l 1 : xor eax , eax 4 jnz %l 2 5 l 2 : xor eax , eax 6 jnz %l 3 7 ln : . . . Hardware-Assisted Malware Analysis IC-UNICAMP
  • 11. Introduction Research Final Remarks Anti-Analysis What happens to static analysis? Path Explosion Figure: Source Image: https://tinyurl.com/n52fz5r Hardware-Assisted Malware Analysis IC-UNICAMP
  • 12. Introduction Research Final Remarks Anti-Analysis What happens to dynamic analysis? Debugger Detection Listing 2: Anti-debug example. 1 i f ( IsDebuggerPresent () ) 2 p r i n t f (” debuggedn ”) ; VM Detection Listing 3: Anti-vm example. 1 cpuid (0 x40000000 , &eax , &ebx , &ecx , &edx ) ; 2 memcpy( h y p e r v e n d o r i d + 0 , &ebx , 4) ; 3 i f ( ! strcmp ( hyper vendor id , ”VMwareVMware”) ) 4 p r i n t f (”VMn ”) ; Hardware-Assisted Malware Analysis IC-UNICAMP
  • 13. Introduction Research Final Remarks Anti-Analysis And then... Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 14. Introduction Research Final Remarks Anti-Analysis And then... Figure: Commercial solution armored with anti-debug technique. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 15. Introduction Research Final Remarks Anti-Analysis And then... Figure: Real malware impersonating a secure solution which cannot run under an hypervisor. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 16. Introduction Research Final Remarks Transparency Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 17. Introduction Research Final Remarks Transparency Definitions 1 Higher privileged. 2 No non-privileged side-effects. 3 Identical Basic Instruction Semantics. 4 Transparent Exception Handling. 5 Identical Measurement of Time. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 18. Introduction Research Final Remarks A Survey Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 19. Introduction Research Final Remarks A Survey HVM Figure: Type-1 Hypervisor. Source: https://tinyurl.com/ku7oho5 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 20. Introduction Research Final Remarks A Survey HVM Figure: HVM operating layers . Hardware-Assisted Malware Analysis IC-UNICAMP
  • 21. Introduction Research Final Remarks A Survey HVM Figure: HVM memory operation. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 22. Introduction Research Final Remarks A Survey HVM Figure: Ether’s architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 23. Introduction Research Final Remarks A Survey HVM Figure: Fattori’s architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 24. Introduction Research Final Remarks A Survey HVM Figure: Fattori’s traceable events. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 25. Introduction Research Final Remarks A Survey HVM Figure: Fattori’s techniques. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 26. Introduction Research Final Remarks A Survey HVM Figure: MAVMM’s overhead. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 27. Introduction Research Final Remarks A Survey SMM Figure: Operation modes. Source: https://tinyurl.com/l2uqr8d Hardware-Assisted Malware Analysis IC-UNICAMP
  • 28. Introduction Research Final Remarks A Survey SMM Figure: SMIs. Source: https://tinyurl.com/kuqlmau Hardware-Assisted Malware Analysis IC-UNICAMP
  • 29. Introduction Research Final Remarks A Survey Battle of the rings Figure: Processor rings. Source: https://tinyurl.com/mzjezkg Hardware-Assisted Malware Analysis IC-UNICAMP
  • 30. Introduction Research Final Remarks A Survey AMT/ME Figure: Arstechnica. Source: https://tinyurl.com/kc62fw8 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 31. Introduction Research Final Remarks A Survey SGX Figure: SGX enclaves. Source: https://tinyurl.com/ln6eb4g Hardware-Assisted Malware Analysis IC-UNICAMP
  • 32. Introduction Research Final Remarks A Survey External Hardware Figure: JTAG. Source: https://tinyurl.com/m8r79e8 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 33. Introduction Research Final Remarks A Survey Branch Monitor Figure: Branch Stack. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 34. Introduction Research Final Remarks A Survey Performance Monitor Figure: PMU-based side-effect detection. Source: https://tinyurl.com/m9zgphk Hardware-Assisted Malware Analysis IC-UNICAMP
  • 35. Introduction Research Final Remarks A Survey GPUs Figure: GPU. Source: https://tinyurl.com/lnhufn9 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 36. Introduction Research Final Remarks A Survey TSX Figure: TSX-based CFI. Source: https://tinyurl.com/l8jfycj Hardware-Assisted Malware Analysis IC-UNICAMP
  • 37. Introduction Research Final Remarks Branch Monitoring Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 38. Introduction Research Final Remarks Branch Monitoring Proposed Framework Figure: Proposed framework architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 39. Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Could I isolate processes’ actions? Figure: Data Storage (DS) AREA. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 40. Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Could I isolate processes’ actions? Figure: Local Vector Table (LVT). Hardware-Assisted Malware Analysis IC-UNICAMP
  • 41. Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: ASLR - Library placement after two consecutive reboots. Library NTDLL KERNEL32 KERNELBASE Address 1 0xBAF80000 0xB9610000 0xB8190000 Address 2 0x987B0000 0x98670000 0x958C0000 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 42. Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: Function Offsets from ntdll.dll library. Function Offset NtCreateProcess 0x3691 NtCreateProcessEx 0x30B0 NtCreateProfile 0x36A1 NtCreateResourceManager 0x36C1 NtCreateSemaphore 0x36D1 NtCreateSymbolicLinkObject 0x36E1 NtCreateThread 0x30C0 NtCreateThreadEx 0x36F1 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 43. Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Figure: Introspection Mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 44. Introduction Research Final Remarks Branch Monitoring Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? _lock_file+0x90printf+0xe3__iob_funcprintf+0xcaprintfNewToy Figure: Step Into. scanf+0x3f NewToy printf Figure: Step Over. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 45. Introduction Research Final Remarks Branch Monitoring Is CFG reconstruction possible? Figure: Code block identification. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 46. Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Identified tricks Listing 4: Fake Conditional. 1 0x190 xor eax , eax 2 0x192 jnz 0x19c Listing 5: Control Flow Change. 1 0x180 push 0x10a 2 0x185 r e t Hardware-Assisted Malware Analysis IC-UNICAMP
  • 47. Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Identified tricks Listing 6: Hook Detection. 1 0x340 cmp eax ,0 xe9 2 0x345 jnz 0x347 Listing 7: Hardware Debugger Detection. 1 0x400 QWORD PTR f s :0 x0 , rsp 2 0x409 mov rax ,QWORD PTR [ rsp+0xc ] 3 0x40e cmp rbx ,QWORD PTR [ rax+0x4 ] Hardware-Assisted Malware Analysis IC-UNICAMP
  • 48. Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Deviating Behavior Figure: Deviating behavior identification. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 49. Introduction Research Final Remarks Branch Monitoring Is the final solution transparent? Deviating Behavior Figure: Divergence: True Positive. Figure: Divergence: False Positive. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 50. Introduction Research Final Remarks Branch Monitoring Could I develop a Debugger? Inverted I/O Figure: Debugger’s working mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 51. Introduction Research Final Remarks Branch Monitoring Could I develop a Debugger? Suspending Processes EnumProcessThreads + SuspendThread. DebugActiveProcess. NtSuspendProcess. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 52. Introduction Research Final Remarks Branch Monitoring Could I develop a Debugger? Integration Figure: GDB integration. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 53. Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? ROP Attacks Figure: ROP chain example. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 54. Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? CALL-RET Policy Figure: CALL-RET CFI policy. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 55. Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? Gadget-size policy Figure: KBouncer’s exploit stack. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 56. Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? Exploit Analysis Table: Excerpt of the branch window of the ROP payload. FROM TO —- 0x7c346c0a 0x7c346c0b 0x7c37a140 0x7c37a141 —- Hardware-Assisted Malware Analysis IC-UNICAMP
  • 57. Introduction Research Final Remarks Branch Monitoring Does the solution handle ROP attacks? Exploit Analysis Listing 8: Static disassembly of the MSVCR71.dll library. 1 7 c346c08 : f2 0 f 58 c3 addsd %xmm3,%xmm0 2 7 c346c0c : 66 0 f 13 44 24 04 movlpd %xmm0,0 x4(%esp ) Listing 9: Dynamic disassembly of the MSVC71.dll executed code. 1 0x1000 ( s i z e =1) pop rax 2 0x1001 ( s i z e =1) r e t Hardware-Assisted Malware Analysis IC-UNICAMP
  • 58. Introduction Research Final Remarks Branch Monitoring Is the solution easy to implement? Lines of Code comparison 100 1000 10000 100000 1×106 Ether:Comp Ether:Xen Ether:Patches Ether:Patch Ether:Ctl MAVMM:Comp MAVMM:Rep Bit:Comp Our:Comp Our:Cli Our:Drv Our:Scr Lines of Code by solution Solution Figure: Lines of Code by solution. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 59. Introduction Research Final Remarks Branch Monitoring Is the solution portable? Talking about Linux Listing 10: Linux BTS support (Source:https://tinyurl.com/mws6v8x 1 s t a t i c i n i t i n t b t s i n i t ( void ) 2 bts pmu . c a p a b i l i t i e s = PERF PMU CAP AUX NO SG | PERF PMU CAP ITRACE 3 bts pmu . t a s k c t x n r = p e r f s w c o n t e x t ; 4 bts pmu . e v e n t i n i t = b t s e v e n t i n i t ; 5 bts pmu . add = b t s e v e n t a d d ; 6 bts pmu . d e l = b t s e v e n t d e l ; 7 bts pmu . s t a r t = b t s e v e n t s t a r t ; 8 bts pmu . stop = b t s e v e n t s t o p ; 9 bts pmu . read = b t s e v e n t r e a d ; 10 r e t u r n p e r f p m u r e g i s t e r (&bts pmu , 11 ” i n t e l b t s ”,−1) Hardware-Assisted Malware Analysis IC-UNICAMP
  • 60. Introduction Research Final Remarks Branch Monitoring Is the solution portable? Talking about Linux Listing 11: Linux BTS support (Source:https://tinyurl.com/mx759d7) 1 p e r f i n i t (&pe , MMAP PAGES) ; 2 f c n t l ( g b l s t a t u s . fd evt , F SETOWN, get pid () ) ; 3 monitor loop ( p i d c h i l d , s o u t f i l e ) ; Hardware-Assisted Malware Analysis IC-UNICAMP
  • 61. Introduction Research Final Remarks Branch Monitoring Is solution’s overhead acceptable? Could the solution run in real-time? Task Base value System monitoring Penalty Benchmark monitoring Penalty Floating-point operations (op/s) 101530464 99221196 2.27% 97295048 4.17% Integer operations (op/s) 285649964 221666796 22.40% 219928736 23.01% MD5 Hashes (hash/s) 777633 568486 26.90% 568435 26.90% RAM transfer (MB/s) 7633 6628 13.17% 6224 18.46% HDD transfer (MB/s) 90 80 11.11% 75 16.67% Overall (benchm. pt) 518 470 9.27% 439 15.25% Hardware-Assisted Malware Analysis IC-UNICAMP
  • 62. Introduction Research Final Remarks Conclusions Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 63. Introduction Research Final Remarks Conclusions Lessons learned Transparency is essential. Hardware-assisted approaches may fulfill transparency requirements. There are open problems on hardware monitoring. Security, performance, and development efforts as trade-offs (really?). Performance monitors as lightweight alternatives. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 64. Introduction Research Final Remarks Future Work Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 65. Introduction Research Final Remarks Future Work And now? Multi-core monitor. Linux Monitor. Malware clustering. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 66. Introduction Research Final Remarks Future Work Solution’s Availability Figure: Solution’s Availability. Solution is public on github. https://github.com/marcusbotacin/BranchMonitoringProject Hardware-Assisted Malware Analysis IC-UNICAMP
  • 67. Introduction Research Final Remarks Acknowledgments Topics 1 Introduction Malware Malware Analysis Anti-Analysis Transparency 2 Research A Survey Branch Monitoring 3 Final Remarks Conclusions Future Work Acknowledgments Hardware-Assisted Malware Analysis IC-UNICAMP
  • 68. Introduction Research Final Remarks Acknowledgments Questions? Hardware-Assisted Malware Analysis IC-UNICAMP